1 |
jpp |
1.1 |
# Fix for stack buffer overflow in src/printf.c, backpotred from upstream |
2 |
|
|
# Bugzilla: rhbz#1212357 |
3 |
|
|
# Original fix: https://www.sqlite.org/src/info/aeca95ac77f6f320 |
4 |
|
|
|
5 |
|
|
diff -up sqlite-src-3071700/src/printf.c.old sqlite-src-3071700/src/printf.c |
6 |
|
|
--- sqlite-src-3071700/src/printf.c.old 2015-07-03 10:54:17.644940587 +0200 |
7 |
|
|
+++ sqlite-src-3071700/src/printf.c 2015-07-03 11:52:50.704122467 +0200 |
8 |
|
|
@@ -233,14 +233,17 @@ void sqlite3VXPrintf( |
9 |
|
|
width = va_arg(ap,int); |
10 |
|
|
if( width<0 ){ |
11 |
|
|
flag_leftjustify = 1; |
12 |
|
|
- width = -width; |
13 |
|
|
+ width = width >= -2147483647 ? -width : 0; |
14 |
|
|
} |
15 |
|
|
c = *++fmt; |
16 |
|
|
}else{ |
17 |
|
|
+ unsigned wx = 0; |
18 |
|
|
while( c>='0' && c<='9' ){ |
19 |
|
|
- width = width*10 + c - '0'; |
20 |
|
|
+ wx = wx*10 + c - '0'; |
21 |
|
|
c = *++fmt; |
22 |
|
|
} |
23 |
|
|
+ testcase( wx>0x7fffffff ); |
24 |
|
|
+ width = wx & 0x7fffffff; |
25 |
|
|
} |
26 |
|
|
/* Get the precision */ |
27 |
|
|
if( c=='.' ){ |
28 |
|
|
@@ -248,13 +251,18 @@ void sqlite3VXPrintf( |
29 |
|
|
c = *++fmt; |
30 |
|
|
if( c=='*' ){ |
31 |
|
|
precision = va_arg(ap,int); |
32 |
|
|
- if( precision<0 ) precision = -precision; |
33 |
|
|
c = *++fmt; |
34 |
|
|
+ if( precision<0 ) { |
35 |
|
|
+ precision = precision >= -2147483647 ? -precision : -1; |
36 |
|
|
+ } |
37 |
|
|
}else{ |
38 |
|
|
+ unsigned px = 0; |
39 |
|
|
while( c>='0' && c<='9' ){ |
40 |
|
|
- precision = precision*10 + c - '0'; |
41 |
|
|
+ px = px*10 + c - '0'; |
42 |
|
|
c = *++fmt; |
43 |
|
|
} |
44 |
|
|
+ testcase( px>0x7fffffff ); |
45 |
|
|
+ precision = px & 0x7fffffff; |
46 |
|
|
} |
47 |
|
|
}else{ |
48 |
|
|
precision = -1; |
49 |
|
|
@@ -418,7 +426,8 @@ void sqlite3VXPrintf( |
50 |
|
|
for(idx=precision, rounder=0.4999; idx>0; idx--, rounder*=0.1); |
51 |
|
|
#else |
52 |
|
|
/* It makes more sense to use 0.5 */ |
53 |
|
|
- for(idx=precision, rounder=0.5; idx>0; idx--, rounder*=0.1){} |
54 |
|
|
+ testcase( precision>0xfff ); |
55 |
|
|
+ for(idx=precision&0xfff, rounder=0.5; idx>0; idx--, rounder*=0.1){} |
56 |
|
|
#endif |
57 |
|
|
if( xtype==etFLOAT ) realvalue += rounder; |
58 |
|
|
/* Normalize realvalue to within 10.0 > realvalue >= 1.0 */ |
59 |
|
|
@@ -474,8 +483,10 @@ void sqlite3VXPrintf( |
60 |
|
|
}else{ |
61 |
|
|
e2 = exp; |
62 |
|
|
} |
63 |
|
|
- if( e2+precision+width > etBUFSIZE - 15 ){ |
64 |
|
|
- bufpt = zExtra = sqlite3Malloc( e2+precision+width+15 ); |
65 |
|
|
+ if( e2+(i64)precision+(i64)width > etBUFSIZE - 15 ){ |
66 |
|
|
+ bufpt = zExtra = sqlite3Malloc( |
67 |
|
|
+ e2+(i64)precision+(i64)width+15 |
68 |
|
|
+ ); |
69 |
|
|
if( bufpt==0 ){ |
70 |
|
|
pAccum->mallocFailed = 1; |
71 |
|
|
return; |
72 |
|
|
|
73 |
|
|
diff -up sqlite-src-3071700/test/printf.test.old sqlite-src-3071700/test/printf.test |
74 |
|
|
--- sqlite-src-3071700/test/printf.test.old 2015-07-03 10:32:28.552140602 +0200 |
75 |
|
|
+++ sqlite-src-3071700/test/printf.test 2015-07-03 10:35:15.858079592 +0200 |
76 |
|
|
@@ -472,6 +472,18 @@ do_test printf-1.16.7 { |
77 |
|
|
sqlite3_mprintf_int {abc: (%#6d) (%#6x) (%#6o) :xyz}\ |
78 |
|
|
0xff676981 0xff676981 0xff676981 |
79 |
|
|
} {abc: (-9999999) (0xff676981) (037731664601) :xyz} |
80 |
|
|
+do_test printf-1.17.1 { |
81 |
|
|
+ sqlite3_mprintf_int {abd: %2147483647d %2147483647x %2147483647o} 1 1 1 |
82 |
|
|
+} {} |
83 |
|
|
+do_test printf-1.17.2 { |
84 |
|
|
+ sqlite3_mprintf_int {abd: %*d %x} 2147483647 1 1 |
85 |
|
|
+} {} |
86 |
|
|
+do_test printf-1.17.3 { |
87 |
|
|
+ sqlite3_mprintf_int {abd: %*d %x} -2147483648 1 1 |
88 |
|
|
+} {abd: 1 1} |
89 |
|
|
+do_test printf-1.17.4 { |
90 |
|
|
+ sqlite3_mprintf_int {abd: %.2147483648d %x %x} 1 1 1 |
91 |
|
|
+} {/.*/} |
92 |
|
|
do_test printf-2.1.1.1 { |
93 |
|
|
sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 0.001 |
94 |
|
|
} {abc: (0.0) :xyz} |
95 |
|
|
@@ -526,6 +538,9 @@ do_test printf-2.1.2.8 { |
96 |
|
|
do_test printf-2.1.2.9 { |
97 |
|
|
sqlite3_mprintf_double {abc: %d %d (%1.1g) :xyz} 1 1 1.0e-20 |
98 |
|
|
} {abc: 1 1 (1e-20) :xyz} |
99 |
|
|
+do_test printf-2.1.2.10 { |
100 |
|
|
+ sqlite3_mprintf_double {abc: %*.*f} 2000000000 1000000000 1.0e-20 |
101 |
|
|
+} {abc: } |
102 |
|
|
do_test printf-2.1.3.1 { |
103 |
|
|
sqlite3_mprintf_double {abc: (%*.*f) :xyz} 1 1 1.0 |
104 |
|
|
} {abc: (1.0) :xyz} |
105 |
|
|
@@ -3466,6 +3481,15 @@ do_test printf-3.5 { |
106 |
|
|
do_test printf-3.6 { |
107 |
|
|
sqlite3_mprintf_str {%d %d A String: (%-30s)} 1 2 {This is the string} |
108 |
|
|
} [format {%d %d A String: (%-30s)} 1 2 {This is the string}] |
109 |
|
|
+do_test printf-3.7 { |
110 |
|
|
+ sqlite3_mprintf_str {%d A String: (%*s)} 1 2147483647 {This is the string} |
111 |
|
|
+} [] |
112 |
|
|
+do_test printf-3.8 { |
113 |
|
|
+ sqlite3_mprintf_str {%d A String: (%*s)} 1 -2147483648 {This is the string} |
114 |
|
|
+} {1 A String: (This is the string)} |
115 |
|
|
+do_test printf-3.9 { |
116 |
|
|
+ sqlite3_mprintf_str {%d A String: (%.*s)} 1 -2147483648 {This is the string} |
117 |
|
|
+} {1 A String: (This is the string)} |
118 |
|
|
do_test snprintf-3.11 { |
119 |
|
|
sqlite3_snprintf_str 2 {x%d %d %s} 10 10 {This is the string} |
120 |
|
|
} {x} |
121 |
|
|
@@ -3685,6 +3709,9 @@ do_test printf-13.5 { |
122 |
|
|
do_test printf-13.6 { |
123 |
|
|
sqlite3_mprintf_hexdouble %.20f fff8000000000000 |
124 |
|
|
} {NaN} |
125 |
|
|
+do_test printf-13.7 { |
126 |
|
|
+ sqlite3_mprintf_hexdouble %2147483648.10000f 4693b8b5b5056e17 |
127 |
|
|
+} {/100000000000000000000000000000000.00/} |
128 |
|
|
|
129 |
|
|
do_test printf-14.1 { |
130 |
|
|
sqlite3_mprintf_str {abc-%y-123} 0 0 {not used} |